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DETAILED ACTION 

Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in this Office 
action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

2. Claims 1-25 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Moran (US 6,647, 400 B1). 

a. Referring to claim 1: 
i. Moran teaches: 

(1) a bus system [i.e., referring to Figure 1, in addition 
to providing CPU 102 access to storage subsystem (that is memory 110, which 
includes RAM), bus 114 can be used to provide access other subsystems and 
devices as well (column 6, lines 13-14). In addition, bus 114 is illustrative of any 
interconnection scheme serving to link the subsystems (column 7, lines 12-14)]; 

(2) a CPU connected to the bus system [i.e., referring to 
Figure 1, In addition to providing CPU 102 access to storage subsystems, bus 114 
can be used to provide access other subsystems and devices as well (column 6, 
lines 12-14)]; 

(3) a RAM connected to the bus system, the RAM being 
divided into pages, each page having an execution flag [i.e., referring to Figure 1, 
CPU 102 is coupled bidirectionally with memory 110, via bus 114, which can 
include a first primary storage, typically a random access memory (RAM), and a 
second primary storage area, typically a read-only memory (ROM), whereby "the 
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RAM being divided into pages, each page having an execution flag" is considered 
to include within memory 110]; 

(4) a memory manager configured to manage the pages 
of the RAM and permit CPU execution of data on pages according to the execution flag 
[i.e., referring to Figure 1, "a memory manager 1 ' is considered to include in 
memory 110 for "configuring to manage the pages of the RAM and permit CPU 
execution of data on pages according to the execution flag"]; 

(5) a program stored within at least one page of the RAM 
[i.e., a primary storage, typically a random access memory (RAM), can also store 
programming instructions and data, in the form of data objects and text objects, 
in addition to other data and instructions for processes operating on CPU 102 
(column 5, lines 49-52)]; and 

(6) a program stack stored within at least one page the 
RAM [i.e., most buffer overflow exploits involving overwriting the control 
information on the process's stack, in which "a program stack" stored in 
memory 110 (column 34, 29-28)], 

(7) wherein the memory manager is configured to 
determine whether the program is susceptible to buffer overflow attacks, and, if so, set 
the execution flag for program stack pages of RAM to deny CPU execution of data on 
the program stack pages of RAM [i.e., referring to Figure 1, "the memory manager" 
is considered to include in memory 110 for "configuring to determine whether the 
program is susceptible to buffer overflow attacks". Currently, the most common 
exploits involve a buffer overflow attacks on SetUID commands. A SetUID (also 
"SUID") command is one that runs with the privileges of the owner of the 
command instead of with the privileges of the user invoking the commands, and 
this attribute is specified by a flag in the permissions for the command (an 
executable file) (column 33, lines 64-67 through column 34, lines 1-3). Almost all 
buffer overflows attack take effect at the very beginning of the execution of the 
program, because the data causing the overflow is supplied as part of the 
command invocation or setup. Hence, the command is subverted (replaced) 
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before it has a chance to perform any of its intended actions. This observation is 
key to the approach used in an embodiment of the invention to detect buffer 
overflow attacks ex post facto (column 34, lines 43-50)]. 

b. Referring to claim 2: 

i. Moran further teaches: 

(1) wherein the memory manager and the CPU are 
configured to deny CPU execution of data by triggering a hardware interrupt [i.e., 
referring to Figure 1, CPU 102 is coupled bidirectionally with memory 110, in 
which "the memory manager" is considered to include in memory 110. It can also 
store programming instructions and data, that is "a hardware interrupt", in the 
form of data objects and text objects, in addition to other data and instructions 
for processes operating on CPU 102. Primary storage typically includes basic 
operating instructions, program code, data and objects used by the CPU 102 to 
perform its functions, that is "to deny CPU execution of data" (column 5, lines 43- 
55)]. 

c. Referring to claim 3: 

i . Moran further teaches: 

(1) a process structure table in data communication with 
the memory manager, wherein the memory manager comprises an annotation API, 
wherein the annotation API is configured to annotate within the process structure table 
the susceptibility of the program to buffer overflow attacks, and wherein the memory 
manager is configured to make the determination of susceptibility to buffer overflow 
attacks with reference to the process structure table [i.e., referring to Figure 1, the 
memory can also store programming instructions and data, that is "a process 
structure table", in the form of data objects and text objects, in addition to other 
data and instructions for processes operating on CPU 102. Primary storage 
typically includes basic operating instructions, program code, data and objects 
used by the CPU 102 to perform its functions, wherein "the memory manager" 
and "an annotation API" are part of the memory which "is configured to annotate 
within the process structure table the susceptibility of the program to buffer 
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overflow attacks" and "is configured to make the determination of susceptibility 
to buffer overflow attacks with reference to the process structure table" (column 
5, lines 43-55)]. 

d. Referring to claims 4, 5. 20, and 21: 

i. These claims have limitations that is similar to those of claim 
3, thus they are rejected with the same rationale applied against claim 3 above. 

e. Referring to claims 6, 7, and 8: 

i. These claims have limitations that is similar to those of 
claims 1 and 3, thus they are rejected with the same rationale applied against claims 1 
and 3 above. 

f. Referring to claim 9: 

i. Moran teaches: 

(1) a memory manager code comprising a set of codes 
operable to direct a data processing system to manage a set of pages within a RAM of 
the data processing system and to permit a CPU of the data processing system to 
execute data on pages according to an execution flag on each of the set of pages; an 
application program code comprising a set of codes operable to direct a data 
processing system to request the memory manager code to establish a program stack 
within at least one page the RAM; and a susceptibility code comprising a set of codes 
operable to direct a data processing system to determine whether the application 
program code is susceptible to buffer overflow attacks, and, if so, set the execution flag 
for the program stack pages to deny CPU execution of data on the program stack pages 
[i.e., referring to Figure 1, memory 110 which can include primary storage for 
storing basic operating instructions, program code, data and objects used by the 
CPU 102 to perform its functions (column 5, lines 43-55). In addition, 
embodiments of the present invention further relate to computer storage 
products with a computer readable medium that contain program code (that is "a 
memory manager code, an application program code, and a susceptibility code") 
for performing various computer-implemented operations (column 6, lines 52-55). 
The computer-readable medium can also be distributed as a data signal 
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embodied in a carrier wave over a network of coupled computer systems so that 
the computer-readable code is stored and executed in a distributed fashion. 
Examples of program code include both machine code, as produced, for example, 
by a compiler, or files containing higher-level code that may be executed using an 
interpreter (column 7, lines 2-8)]. 

g. Referring to claim 10: 

i. This claim has limitations that is similar to those of claim 2, 
thus it is rejected with the same rationale applied against claim 2 above. 

h. Referring to claims 11 and 12: 

i. These claims have limitations that is similar to those of 
claims 3 and 9, thus they are rejected with the same rationale applied against claims 3 
and 9 above. 

i. Referring to claims 13 and 14: 
i. Moran further teaches: 

(1) wherein the memory manager code comprises the 
process structure table code as an API [i.e. the computer storage products with a 
computer readable medium that contain program code (that is "a memory 
manager code, an application program code, and a susceptibility code") for 
performing various computer-implemented operations (column 6, lines 52-55), 
whereby "the process structure table code as an API" is considered to include in 
the program code]. 

j. Referring to claims 15. 16. and 17: 
i. Moran further teaches: 

(1) wherein the application program code further 
comprises a set of codes operable to direct a data processing system to call the 
process structure table code the application program code is susceptible to buffer 
overflow attacks [i.e. the computer storage products with a computer readable 
medium that contain program code (that is "a memory manager code, an 
application program code, and a susceptibility code") for performing various 
computer-implemented operations (column 6, lines 52-55), whereby "a set of 
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codes operable to direct a data processing system to call the process structure 
table code the application program code is susceptible to buffer overflow 
attacks" is considered to include in the program code], and 

(2) the memory manager code further comprises a set of 
codes operable to direct a data processing system to determine susceptibility upon 
receipt of a request to allocate an additional page of RAM for the application program 
code [i.e. the computer storage products with a computer readable medium that 
contain program code (that is "a memory manager code, an application program 
code, and a susceptibility code") for performing various computer-implemented 
operations (column 6, lines 52-55), whereby "a set of codes operable to direct a 
data processing system to determine susceptibility upon receipt of a request to 
allocate an additional page of RAM for the application program code" is 
considered to include in the program code]. 

k. Referring to claim 18, 24. and 25: 

i. This claim has limitations that is similar to those of claim 1, 
thus it is rejected with the same rationale applied against claim 1 above. 
I. Referring to claim 19: 

i. This claim has limitations that is similar to those of claims 1 
and 2, thus it is rejected with the same rationale applied against claims 1 and 2 above, 
m. Referring to claims 20 and 21: 

i. This claim has limitations that is similar to those of claim 3, 
thus it is rejected with the same rationale applied against claim 3 above, 
n. Referring to claims 22 and 23: 

i. This claim has limitations that is similar to those of claims 3 
and 9, thus it is rejected with the same rationale applied against claims 3 and 9 above. 

Response to Argument 
3. Applicant's arguments filed March 24, 2004 have been fully considered 
but they are not persuasive. 

Applicant argues that: 
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"Applicants respectfully assert that Moran does not disclose "a RAM 
connected to the bus system, the RAM being divided into pages, each page having an 
execution flag" as recited in claim 1 and similarly in claims 9 and 18." 

Examiner maintains that: 

In addition to the rejection, Moran also teaches primary storage typically 
includes basic operating instructions, program code (that is "an execution flag"), data 
and objects used by the CPU 102 to perform its functions. Primary storage devices 110 
may also include any suitable computer-readable storage media. In addition, 
embodiments of Moran's invention further relate to computer storage products with a 
computer readable medium that contain program code (that is "an execution flag") for 
performing various computer-implemented operations. The computer-readable medium 
is any data storage device that can store data which can thereafter be read by a 
computer system. The media and program code may be those specially designed and 
constructed for the purposes of Moran's invention, or they may be of the kind well 
known to those of ordinary skill in the computer software arts. Examples of computer- 
readable media include, but are not limited to, all the media mentioned above: magnetic 
media such as hard disks, floppy disks, and magnetic tape; optical media such as CD- 
ROM disks; magneto-optical media such as floptical disks; and specially configured 
hardware devices such as application-specific integrated circuits (ASICs), 
programmable logic devices (PLDs), and ROM and RAM devices (column 6, lines 52 
through column 7, line 1). Moran further teaches the information retained within mass 
storage 112, 120 may be incorporated, if needed, in standard fashion as part of primary 
storage 110 (e.g. RAM) as virtual memory (column 6, lines 9-12). By definition, virtual 
memory (also known as virtual storage), a page is a unit of data storage that is brought 
into real storage (on a personal computer, RAM) from auxiliary storage (on a personal 
computer, usually the hard disk) when a requested item of data is not already in real 
storage (RAM). As it is understood that paging is a technique for implementing virtual 
memory. The virtual address space is divided into a number of fixed-size blocks called 
pages, each of which can be mapped onto any of the physical addresses available on 
the system (see Microsoft Computer Dictionary, Fifth Edition, under "paging", page 388; 
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and SearchWebServices.com Definitions, under "page"). In addition, in a computer's 
RAM, a page is a group of memory cells that are accessed as part of a single operation. 
That is, all the bits in the group of cells are changed at the same time. In some kinds of 
RAM, a page is all the memory cells in the same row of cells. In other kinds of RAM, a 
page may represent some other group of cells than all those in a row (see search 
WebServices.com Definitions, Copyright 2001-2004, under "page") 
Applicant further argues that: 

"Applicants further assert that Moran does not disclose "a memory 
manager configured to manage the pages of the RAM and permit CPU execution of 
data on pages according to the execution flag" as recited in claim 1 and similarly in 
claims 9 and 18." 

Examiner maintains that: 

Moran does teach as shown in Figure 1, a block diagram of a general 
purpose computer system suitable for carrying out the processing in accordance with 
one embodiment of the invention. The computer system depicted in FIG. 1 is made up 
of various subsystems described below, and includes at least an operating system and 
one microprocessor subsystem (also referred to as a central processing unit, or CPU) 
102. CPU 102 is coupled bidirectionally with memory 110 which can include a first 
primary storage, typically a random access memory (RAM), and a second primary 
storage area, typically a read-only memory (ROM). As is well known in the art, primary 
storage can be used as a general storage area and as scratch-pad memory, and can 
also be used to store input data and processed data. It can also store programming 
instructions and data, in the form of data objects and text objects, in addition to other 
data and instructions for processes operating on CPU 102. Also as well known in the 
art, primary storage typically includes basic operating instructions, program code, data 
and objects used by the CPU 102 to perform its functions. Primary storage devices 110 
may include any suitable computer-readable storage media, described below, 
depending on whether, for example, data access needs to be bidirectional or 
unidirectional (column 5, lines 25-58). Furthermore, Moran teaches using a multitasking 
operating system. For example, on a multitasking operating system, processes and 
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threads both allow interleaving of flow of control, both allowing the user of the processor 
to switch from a computation that has reached a point where it can no longer proceed 
(e.g., it is waiting for input from the user) to one that is ready to run) (column 38, lines 
35-40). As it is clearly understood that an operating system is a software or a "memory 
manager" that manages and controls the allocation and usage of hardware resources 
such as memory, central processing unit (CPU) time, disk space and peripheral devices 
(see Microsoft Computer Dictionary, Fifth Edition, page 378). In addition, the operating 
system figures how the computer's main memory will be appointed, how and in what 
order it will handle tasks assigned to it, how it will manage the flow of information into 
and out of the main processor, where in memory it will place material, how it will get 
material to the printer for printing, to the screen for viewing, etc. (see Newton's Telecom 
Dictionary, 19 th Edition, by Harry Newton, page 577). 

Conclusion 

4. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See 
MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 
37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is 
not mailed until after the end of the THREE-MONTH shortened statutory period, then 
the shortened statutory period will expire on the date the advisory action is mailed, and 
any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for reply expire 
later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Thanhnga (Tanya) Truong whose telephone number 
is 703-305-0327. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on 703-305-4393. The fax and phone 
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numbers for the organization where this application or proceeding is assigned is 703- 
872-9306. 

Any inquiry of a general nature or relating to the status of this application 
or proceeding should be directed to the receptionist whose telephone number is 703- 



305-3900. 
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